A new email ransomware campaign is spreading around the world. Researchers at Fortinet say it’s a spam effort, meaning the messages are not targeted. Instead they are addressed generally, like “Dear customer.” The subject line in the email would be something like “Document number…”, “Your order number” or “Ticket number.” With the email is a malicious attachment that leads to the installation of malware. The initial targets are corporate mail servers used to forward this email. These have been found in Canada, the U.S. the United Kingdom and other countries. 

The best defense against ransomware – or any email-delivered malware – is to watch out for it. Be cautious about unsolicited emails, especially those with attachments. And it’s vital you always have a separate backup of your data made it a way that can’t be infected, just in case you make a mistake.

Meanwhile McAfee reports some Canadian organizations have been victimized by a separate operation. A group security that researchers call Hidden Cobra, believed to be backed by North Korea, has been putting surveillance software on the systems of companies. The suspicion is the Canadian victims have been used as listening or data relay points. The malware that this campaign has installed has not stolen financial or sensitive data but appears to be there find out what’s on a computer, and be ready to launch further attacks.

Companies have to make sure their systems have the latest security patches. In addition, because the malware appears to be distributed through email, employees have to be reminded to be careful on what they click on.

For more on this see my story today on ITWorldCanada.com.

The U.S. National Security Agency has just suffered a black eye from an international standards body. According to a blog on Bitdefender, the International Organization of Standardization – known more commonly as ISO – rejected two new encryption algorithms suggested by the NSA to secure Internet of Things devices. The algorithms would scramble information on Internet-connected devices like home surveillance cameras and toys. But the NSA’s reputation for creating tools to hack into applications apparently give it a bad name at the ISO. One ISO delegate accused the NSA of telling half-truths and lies in its presentation.

If that allegation is accurate, it isn’t good. Internet of Things devices badly need better security. People and companies around the world buy tens of thousands of them a year. Insecure devices don’t improve security.

That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening.

Traditionally, the mission of the CISO has been to convince the CEO of the capabilities the organisation must put in place to prevent and follow-up on threats and manage crises. At the helm of IT security, CISOs are in their element overseeing the security operations centre (SOC), incident response teams and forensics experts to address threats. But now, many are being forced outside of their comfort zone. With global attacks dominating television news and headlines in Europe, US and the UK, cybersecurity is top of mind for CEOs and their Boards. And this means that the role of the CISO is expanding.

According to Aon’s 2017 Global Risk Management Survey, cybercrime is now number five among the top 10 concerns for risk decision-makers globally, above failure to innovate, failure to attract and retain top talent, business interruption, political risk/uncertainties and third-party liability. Each time a high-profile attack happens, the CISO gets a phone call from the CEO asking questions like: Are we at risk? Should we be doing something? It is no longer enough to let the CEO know that the organization has not yet been attacked. CISOs need to expand their leadership role and actively engage in risk management.

I have had the opportunity to speak with many CISOs who validate that their jobs are changing.

“Before, we had to fight to explain to the CEO that it would be interesting to know what was coming in and out of our systems,” said Benoit Moreau, CISO of the French ministry of national education and research. “Now, we are expected to have a fine perception of each element of our ‘information ecosystem’ and the interactions that drive it to succeed to predict, almost in real time, the consequences of any stimulus. Our systems have undergone a dazzling Darwinian evolution, driven by new technologies and uses. They went from monocellular organisms that were individually secured to complex protean organisms close to life.”

Today, when the external threat landscape changes and the CEO inevitably calls, CISOs need to respond differently. They need to have situational understanding, be prepared to make decisions on the spot and communicate how they will ensure risk remains at an acceptable level. Moreau explains, “The CISO must equip himself to have ‘awareness’ of the security infrastructure as a whole – to feel the problems, to detect the symptoms. He must understand weaknesses, threats and health risks. He must strengthen his defenses, have the means to carry out further analysis in case of doubt, to inoculate or provide other treatments, and even to amputate in the event of the spread of deadly agents. It is no longer a question for the CISO to deploy some white blood cells, but to be the healthy mind in a healthy body, a robust organism with an effective immune system.”

As a CISO, what does it take to embrace this important change in your role? To begin with, you need instant access to as much information as possible about an attack or campaign. This includes an adversary’s targets and motivations; their tools, techniques, and procedures (TTPs) including tactics and vulnerabilities that may put the organization at risk; as well as the countermeasures available.

Most organizations already have much of this information, but it is spread across many different departments, in multiple external threat data feeds, in your layers of security products, in your SIEM that store logs and events and in analysts’ brains. What you need is a single source of truth – a centralized repository for all this data that you can continuously augment and enrich so that it is contextualized, relevant and prioritized. With a hub for storing, updating and accessing threat intelligence, your teams can learn and share knowledge to assess whether a threat poses short-term danger and determine the appropriate actions. But barriers remain.

Traditionally, siloed teams work independently and in a vacuum without the ability to collaborate throughout the analysis process and execute a coordinated response as needed. Working on parallel tasks, they can miss key commonalities. All teams must be able to work together in a single shared environment for a greater understanding and focus throughout the situation analysis and response process. Using visualization and documentation they can quickly see threat data, evidence, and actions across all the various departments and individual involved in the investigation.

With visibility into this collaborative environment and the situation analysis as it unfolds, CISOs can coordinate between teams and actions taken. A global picture provides the information you need to reply with greater confidence to your CEO’s questions. You can gauge if you’re adequately prepared to withstand an attack and let your CEO know. Or, if not, you can direct the appropriate action faster and assure your CEO you’re taking the right actions to mitigate risk.

Reacting to massive, global threats is a new phenomenon and a new responsibility added to CISOs’ day-to-day tasks. The moment you become aware of a potential new attack, you must be able to assess risk, anticipate potential impact and start crisis management. When a threat is detected, you must be able to respond quickly and comprehensively while maintaining business continuity. It’s no longer enough to protect the organization from an attack – you must be able to handle a crisis even if you aren’t under attack.

Four years after the initial iteration was released, the National Institute of Standards and Technology (NIST) released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity.

The framework was developed to be a voluntary, risk-based framework to improve cybersecurity for critical infrastructure in the United States. A President Obama-issued executive order calls for developing a set of standards, guidelines, and practices to help organizations charged with providing the nation’s financial, energy, health care, and other critical systems better protect their information and physical assets from cyberattacks. 

Like the first version, Version 1.1 of the framework was created through public-private collaboration via recommendations, drafts, and comment periods. Version 1.1 includes updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure, among other changes.

The update has renamed the Access Control Category to Identity Management and Access Control to better account for authentication, authorization, and identity-proofing.

It also has added a new section: Section 4.0 Self-Assessing Cybersecurity Risk with the Framework explains how the framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.

On the supply-chain front, an expanded Section 3.3 helps users better understand risk management in this arena. In contrast, a new section (3.4) focuses on buying decisions and the use of the framework in understanding risk associated with commercial off-the-shelf products and services. Additional risk-management criteria were added to the Implementation Tiers for the framework, and a supply-chain risk-management category has been added to the Framework Core.

Other updates include a better explanation of the relationship between Implementation Tiers and Profiles; added clarity around the term “compliance,” given the variety of ways an organization can use the framework; and the addition of a subcategory related to the vulnerability disclosure lifecycle.

“This update refines, clarifies, and enhances Version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an organization’s business or mission needs. It applies to various technology environments such as information technology, industrial control systems, and the Internet of Things (IoT).”

Its goal is to be flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors and federal, state, and local governments.

“The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Walter Copan, NIST director. “From the very beginning, the Cybersecurity Framework has been a collaborative effort involving government, industry, and academia stakeholders.”

So far, adoption of the framework has been relatively widespread: PwC’s 2018 Global State of Information Security Survey (GSISS), for instance, found that respondents from healthcare payer and provider organizations, as well as oil and gas companies, said the NIST Cybersecurity Framework is the most commonly adopted set information security standards in their respective industries. The report also found that financial institution clients widely embraced benchmarking their cyber risk management programs against the NIST Cybersecurity Framework.

“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must-do for all CEOs.”

Efforts to expand its influence are continuing: In May 2017, President Trump issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which directs all federal agencies to use the Cybersecurity Framework. Also, NIST noted that corporation,s, organizations, and countries around the world, including Italy, Israel, and Uruguay, have adopted the framework or their adaptation.

Meanwhile, to help ease the adoption process, the Information Security Forum (ISF) has mapped the framework and its annual Standard of Good Practice for IT security professionals. Last year, IT governance organization ISACA launched an audit program aligning the NIST framework with COBIT 5, designed to provide management with an assessment of the effectiveness of an organization’s plans to detect and identify cyber-threats and protect against them.

“We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework,” said Barrett.

Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes crucial development, alignment, and collaboration areas.

“Engagement and collaboration will continue to be essential to the framework’s success,” said Barrett. “The Cybersecurity Framework will need to evolve as threats, technologies, and industries evolve. With this update, we’ve demonstrated a good process for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”

Cyber Security Is The Backbone Any Online Businesses – Here Are Some Quick Tips To Keep Yourself Informed About The Latest Threats Surrounding Your Business.

Within a standard nine to five working day, it’s said that there are almost two million data records lost or stolen. Cybercrime has become something of an epidemic in recent years – and it’s no exaggeration to say that everyone is at risk.

Hackers operate in an increasingly complex way and are happy to target small businesses and individuals, who are most likely to be vulnerable to attack. The nature of the threat changes as technology advances and so the only way to stay safe is to stay up to date.

But that’s easier said than done, right? How do you keep up to date with the latest cybersecurity developments?

Follow The News

When it comes to cyber security, ignorance is not bliss – it’s a recipe for disaster. It’s imperative that you identify and follow a news feed that you can trust. By doing so, you can keep on top of any fresh threats that have emerged, learn lessons from other cyber attacks and pick up the latest tips and advice from influencers and experts in this field.

News from this sector really shouldn’t be seen as the preserve of IT specialists – the scale and nature of the threat suggest that this should be of interest to everyone. There’s a burgeoning band of podcasts available on the subject for people who prefer to digest content in this way too.

Bring Up The ‘Security Question’

If you think that installing an anti-virus program is enough, then you’re mistaken. Don’t just presume that you’re safe because you have this because this is merely the first line of defense to root out attacks. By adopting a safety first mindset you can ensure that the way you handle your data is less risky.

Whether it’s securing your Wi-Fi network at home, managing and updating your passwords on a regular basis or the way you collect, collate and analyze data throughthe point of sale software at work, continually ask yourself ‘is this safe?’ Just as ignorance isn’t bliss, complacency could prove your undoing. Place ‘security’ high on the list of credentials to consider when buying new software or hardware, don’t just go for the cheapest option.

Training

Even the experts are constantly having to refresh their understanding of the threat posed by cyber attacks. It pays to search out training opportunities, especially if you’re a business. You are, after all, only as safe as the people operating your software and systems and you don’t want to put the security of your business in the hands of someone who is unsure about what they are doing. Individuals and businesses alike can find free learning materials on Cybrary to help plug any knowledge gaps they have.

It’s Good To Talk

Cyber attacks are incredibly common – but people don’t often enough talk about their experiences. Perhaps you’re afraid or embarrassed to have been caught out? There’s no need to be. In fact, talking with friends and colleagues could really help you to stay safe. Pass on tips about new apps, good software, neat tips and tricks and any new cyber attack tactics you have come across and you can help to do your own bit to combat the criminals.

By keeping up to speed with security news, refreshing your training, sharing tips and tricks and adopting a safety first attitude you’ll give yourself the best possible chance of staying on top of cyber security developments and, best of all, safe.

Security Consulting

Many people who sell security products call themselves security consultants and they are part of the security field, but there are also security consultants who don't sell products. These individuals are paid on an hourly or project basis to help clients, usually, corporations, protect their personnel and property. Property security embraces both real estate and tangible equipment as well as other assets like client lists and proprietary technology. Employee and customer theft, as well as piracy, are possible focuses for a security consulting practice. Technical security consultants are knowledgeable about products, such as electronic security systems, including their development and how to apply them. The work may involve system design as well as drafting plans and documents.

Computer Security

While virtually all security consultants employ computer technology in their work, the computer security niche specifically involves protecting computer systems and networks themselves against unauthorized use and abuse. A computer security consultant often specializes in particular operating systems such as UNIX, LINUX or Windows.

Site Consulting

Whether it's new construction or remodeling, virtually every building and office-be it a high-tech industrial complex, retail franchise, distribution center, self-storage facility, housing development, hotel, resort, casino, parking lot or law firm-is interested in some aspect of site security. Security site consultants evaluate the physical design of such buildings and spaces, determine what security problems a sites poses and recommend countermeasures, such as guards, electronic security with cameras and electric lights, or a combination of methods and policies.

System Design

Security system designers develop specifications and provide architectural or engineering support in the design phase of a security consulting project. System designers may also develop new electronic security tools to be used at a particular location.

Forensic Consulting

Forensic security consultants serve as expert witnesses in trials in which security breaches are at issue, such as with fires, thefts, break-ins, and so on. Forensic consultants may specialize in any of the above fields.

As a security practitioner, you can also develop niches for your work based on the type of clients you work with, such as museums or historical sites, shipyards and airports. Unlike professional investigators, security consultants don't have to be licensed by state agencies. However, there are professional associations you can join and certification programs you can complete, which may help foster a sense of trust with your clients. One of the larger associations, which provides certification.

Specializing is key to marketing a security specialty business because it will help you more easily identify and market to clients who need such services, such as architects and contractors or members of a particular industry, such as software developers or law firms. You'll be soliciting work and attracting clients by making presentations and speeches or networking in organizations where you can showcase your expertise. In addition to your knowledge of security, you must be prepared to develop your speaking skills in order to attract new business.